Superfish may make it trivial for attackers to spoof any HTTPS website.

Lenovo is selling computers that come preinstalled with adware that hijacks encrypted Web sessions and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said.

The critical threat is present on Lenovo PCs that have adware from a company called Superfish installed. As unsavory as many people find software that injects ads into Web pages, there's something much more nefarious about the Superfish package. It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the certificate the browser receives is signed and controlled by Superfish but presents itself as the official website certificate.

Even worse, the private encryption key accompanying the Superfish-signed Transport Layer Security certificate appears to be the same for every Lenovo machine. Attackers may be able to use the key to certify imposter HTTPS websites that masquerade as Bank of America, Google, or any other secure destination on the Internet. Under such a scenario, PCs that have the Superfish root certificate installed will fail to flag the sites as forgeries—a failure that completely undermines the reason HTTPS protections exist in the first place.

[Update: Rob Graham, CEO of security firm Errata Security, has cracked the password protecting the private key of the Superfish certificate. That means anyone can now use the private key to launch man-in-the-middle HTTPS attacks that won't be detected by machines that have the certificate installed. It took Graham just three hours to figure out that the password was "komodia" (minus the quotes). He told Ars the certificate works against Google even when an end-user is using Chrome. That confirms earlier statements that certificate pinning in the browser is not a defense against this attack (more about that below). Graham has a detailed explanation of how he did it here.]

The adware and its effect on Web encryption have been discussed since at least September in Lenovo customer forum threads such as those here and here. In the latter post, dated January 21, a user showed that a root certificate titled Superfish was installed:

He then went on to show how the certificate tampered with the HTTPS connection to a banking website, behavior that allowed Superfish to collect all data unencrypted.

Surprisingly, the behavior largely escaped the notice of security and privacy advocates, until now. On Wednesday evening, following several lengthy Twitter discussions about the overlooked behavior, security researcher Chris Palmer bought a Lenovo Yoga 2 Pro for $600 at a San Francisco Bay Area Best Buy store. He quickly confirmed that the model was pre-installed with the Superfish software and self-signed key.

When Palmer visited https://www.bankofamerica.com/, he found that the certificate presented to his browser wasn't signed by certificate authority VeriSign as one would expect, but rather by Superfish.

He saw the same Superfish-signed certificate misrepresenting itself when he visited other HTTPS-protected websites. In fact, there isn't a single TLS-protected website that wasn't affected.

Palmer was later able to confirm that the Superfish certificate installed on his Yoga 2 used the same private key as the Superfish certificate installed on a different person's Lenovo PC. That means there's a good chance attackers could use the certificate to create fake HTTPS websites that wouldn't be detected by vulnerable Lenovo machines. At the time this report was being prepared, there were no reports of anyone testing and confirming the hypothesis, but several researchers agreed the scenario seemed highly likely.

No, certificate pinning won't save you

The Superfish software hijacks encrypted Web sessions no matter which browser someone uses. Worse yet, certificate pinning in Google Chrome will do nothing to alert users that something is amiss. As Google points out in a post explaining certificate pinning, the mechanism isn't set up to validate certificates chained to a private anchor, such as a root certificate installed in the operating system of the connecting device. "A key result of this policy is that private trust anchors can be used to proxy (or MITM) connections, even to pinned sites," the Google page warned. "'Data loss prevention' appliances, firewalls, content filters, and malware can use this feature to defeat the protections of key pinning."

It's not known exactly which Lenovo computers come with Superfish pre-installed. A Lenovo representative said in a forum that Superfish has been uninstalled and cited "some issues (browser pop up behavior for example)" as the reason. On Twitter Wednesday evening, a Lenovo representative reiterated that the adware was removed on new machines. But as Palmer's experience demonstrated, it's still possible to buy Lenovo PCs that have it pre-installed. And it remains unclear if there's an update mechanism in place to remove it from machines that already have it installed. It's also unknown if PCs from other manufacturers come with Superfish pre-installed. Readers should be aware that even after uninstalling the Superfish adware from their machines, the Superfish root certificate will remain.
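Because the OS trusts the added root and Chrome's pins are not enforced against a private anchor, the only places the substitution shows are the issuer of the certificate a site actually presents and the trust store itself. The following is an added example, not code from the Ars article or from Superfish: it classifies a certificate's issuer the way Palmer did for bankofamerica.com, and on Windows scans the ROOT store for the leftover Superfish root; the function names and sample certificate dictionaries are assumptions constructed for illustration.

```python
"""Added example, not code from the Ars article: inspect the issuer of a site's
TLS certificate (what Palmer did for bankofamerica.com) and look for the
leftover Superfish root in the Windows trust store. Names here are assumptions."""
import socket
import ssl

# Issuer organisation substrings that indicate a local interception root rather
# than the site's real CA; "Superfish" comes from the article, extend as needed.
INTERCEPTION_ISSUERS = ("superfish",)


def rdn_value(name, attr):
    """Read one attribute from the tuple-of-tuples name structure that
    SSLSocket.getpeercert() uses for 'issuer' and 'subject'."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def classify_issuer(cert, expected_org=None):
    """Return 'intercepted', 'unexpected' or 'ok' for a getpeercert() dict.
    expected_org is the CA you know signs this site (VeriSign for Bank of
    America in the article). The OS trust store will accept a user-installed
    root and Chrome's pins do not apply to it, so the issuer is the only
    place the substitution shows."""
    org = rdn_value(cert.get("issuer", ()), "organizationName") or ""
    if any(marker in org.lower() for marker in INTERCEPTION_ISSUERS):
        return "intercepted"
    if expected_org and expected_org.lower() not in org.lower():
        return "unexpected"
    return "ok"


def check_site(host, expected_org=None, port=443, timeout=5.0):
    """Connect using the OS default trust store (which includes any root
    Superfish added) and classify the issuer actually presented."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return classify_issuer(cert, expected_org), rdn_value(cert["issuer"], "organizationName")


def windows_root_store_has(name):
    """Windows only: scan the machine ROOT store with the stdlib for a root whose
    DER bytes contain `name` (crude search; the O= string is plain ASCII in DER).
    Uninstalling the adware leaves this root behind, as the article notes."""
    if not hasattr(ssl, "enum_certificates"):
        return None  # not running on Windows
    needle = name.encode()
    return any(needle in der for der, _enc, _trust in ssl.enum_certificates("ROOT"))


# Constructed samples in the shape getpeercert() returns, not real captures.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.bankofamerica.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Superfish, Inc."),)),
}
SAMPLE_GENUINE = {
    "subject": ((("commonName", "www.bankofamerica.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "VeriSign, Inc."),)),
}
```

On a suspect machine, `check_site("www.bankofamerica.com", "VeriSign")` returning anything other than `"ok"` means the certificate the browser sees is not the bank's, and `windows_root_store_has("Superfish")` tells you whether the root is still installed after the adware was removed.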

[Update: Lenovo has released a statement saying Superfish was installed on consumer laptops shipped between October and December 2014. The manufacturer said it stopped preloading Superfish in January 2015 and has no plans to resume the practice. Amazingly, the company said it did "not find any evidence to substantiate security concerns," but added that it's responding to them anyway. People who are concerned their PC may contain this critical vulnerability can check at https://filippo.io/Badfish/. The website was designed by one of the same researchers who published a site to scan websites for the catastrophic Heartbleed weakness in OpenSSL.

The company's claim that it didn't add Superfish until October is at odds with this post from June, in which a Lenovo user complains that the very same program was causing problems connecting to the Internet. Correction: The post is dated December. Ars regrets the error.]

Superfish presumably installs the root certificates so it can inject ads into encrypted Web pages. By many people's standards, that's bad. But adware that breaks HTTPS connections and may make users vulnerable to man-in-the-middle attacks that are trivial to carry out is orders of magnitude worse. Stay tuned. We'll all be hearing much more about the Superfish debacle in the days and weeks ahead.

[Update: Lenovo has released a list of models that may have had Superfish installed.]

Promoted Comments

I just hope that the official response (which MUST be coming soon) isn't "Oh, we thought you would like us to make your ads show you cheaper products", but "oh, we thought you would like cheaper computers". The former is total garbage, but the latter is at least truthful, as much as it doesn't excuse the behaviour.

Things they need to offer up ASAP:
1) Very complete list of all computers affected (with those that aren't but were sold in this timeframe also called out as being clean), including regional variants if any difference
2) Automated tool to fully remove ALL trace of this thing
3) Manual steps to do the same, for those who reasonably no longer trust a random .exe

This is the sort of thing that can reverse a company's fortunes in an instant, if they can't give us a reasonable explanation (which they probably can't, because there isn't one that I can think of). Still, I'll probably keep buying ThinkPads, because they're just so much better than anything else (if you don't want to run OSX).

And this is why it's always been my policy to wipe every computer that I buy and reinstall the OS from scratch--not from a recovery partition or a OEM disc, but from an original disc image straight from Microsoft (I'll torrent it if I have to, and verify the SHA-1 hash with what Microsoft posts on their website--I have a valid key and license, so I have no qualms about it).

Paul Thurrott wrote a great how to for those users who may not know how to do this without having to preserve their recovery partition

As the article says, that won't remove the fake certificate. You either have to use the certificate manager or (preferably) install a clean OS. You should be able to check in the same way the picture in the article shows: Connect to a known good SSL site and check if the cert is issued by Superfish. That said, since the Helix is not a Lenovo bargain basement special, you're probably in the clear.

Removing the program does not remove the certificate, so if Sharkfish is gone you can open the certificate manager: Start > Run > type certmgr.msc. You'll need to be admin to do it. Then open the folder Trusted Root Certification Authorities, then Certificates.

I tried to buy a Lenovo PC once. After it took a month and a half to finally arrive from China (to what turned out to be the wrong address, no less), and I finally picked it up, it suffered a system board failure within three weeks.

I'd like to say I never dealt with them again, but a family member recently gave me their Yoga 2 Pro in a trade. Now I'm glad that the very first thing I did was wipe the hard drive.

Wipe and reinstall any Windows pc you buy. Takes care of crapware and now malware. People on this site should know how to do it.

I did that the one and only time I bought a Lenovo laptop. When I had to send it back because the graphics card was defective, they tried to tell me they didn't allow returns on any computer where, and this is what the guy said "any new software has been installed." I called back five minutes later, got a different customer service person, and just told them to give me my money back because the graphics card was defective and they gave me no trouble. Still, I decided never to buy another Lenovo anything ever again.

Just yesterday I read a review, on Ars Technica, of ThinkPad X1 Carbon and it looked so nice that I went to check the price in Lenovo online shop ... and almost (but not quite) bought one. It was sooo close.

Now I think a criminal investigation into hacking of customers' computers, or at the very least a class action, should follow, and I promised myself to never ever buy Lenovo.

EDIT: now that Lenovo owns the former PC server division from IBM, I wonder how many sysadmins will trust their networks to new servers from a company of shady reputation. My guess, not so many as to make the business viable.

This is very serious. Anyone with a Lenovo laptop needs to change all their passwords, especially their banking passwords. Lenovo needs to come out publicly and state that they have potentially disclosed massive amounts of private customer usernames, passwords, and information.

If it turns out the NSA is behind this, I'm going to consider the move especially clever. Hiding behind already despicable adware to cover up your warrantless spying would be some Houdini-like misdirection.

The privacy advocate in me is outraged. It's hard to believe anyone with half a brain would have approved a deal with Superfish if they had known it was going to install a private root cert.

The software developer in me, though, is thinking, Hmmm, that'd actually be quite a fun bit of code to write...

In other news, I found a USB key on the street yesterday. I'm so paranoid now from years of Ars security articles I threw it out rather than plugging it in and seeing if I could locate the owner. It was probably somebody's homework. Sigh.

How is this different from the support experience of any other large OEM? Terrible, all.

Any company that doesn't immediately image or wipe/reinstall any system they get from an OEM deserves their crapware. I'd actually consider them negligent and lazy for trying to use the OEM install, to say nothing of potentially risking unknown software. This just proves that sysadmins shouldn't be lazy.

It's a big deal, and I'd like to know WTF happened as much as anyone, but calls for criminal charges and the like are a little premature at this point.

Heh. Laptop? I have to go to work and explain this to the boss because I signed off on dumping dell with Lenovo desktops.

Anyone with a Lenovo with this certificate, which is only the latest Yoga and IdeaPad line so far. As far as anyone can tell, no other Lenovos are in danger, and no other mystery certs have been found.

I figure Lenovo did this with no ill thoughts in mind but failed to really look into the software they bundled to see how it operated... still, you'd think anything with a name like 'superfish' would raise eyebrows.

Nuke and pave isn't exactly an option for small businesses.

If you're going to be a cheap bastard, then you either have to trust your OEM (Dell Optiplex is the only one I know of that comes crapware-clean), have your PCs custom-built, or live with the possibility that some software or driver is malicious or hijackable. Of course, that's always a danger of drivers in general. :\

Still, I don't understand how an enterprise agreement isn't an option for a small company buying a number of PCs. It's an extra expense, but it's only 10-20% more, not 100% more. It's not wonderful, but peace of mind is worth money, too.

No sysadmin is going to replace firmware which comes with the supported hardware they just purchased. Well, "no" is a slight exaggeration, but you get the point.

this should be a top "editor's pick" promoted post, in favour of those affected